
ServiceNow Incident Integration: How to create/update incident using alert

apujari
Explorer

I am using the ServiceNow Incident Integration add-on to create/update incidents in ServiceNow. I have two alerts that run on certain search conditions: alert_create_incident to create a new incident and alert_update_incident to close the incident. I am using the Correlation ID field for this and it is working fine. Now the issue is that, with the Correlation ID set and alert_create_incident running next, it does not create a new incident but updates the previously closed incident's state to New. I thought of running a script as an alert action but ended up in the same situation: needing to set a dynamic correlation ID for both the alerts.

Is there a way to generate the Correlation ID dynamically for each pair of create and update alerts? Any help/suggestions would be appreciated. Thanks

0 Karma

saroj_gharat
New Member

Were you able to resolve this? We are planning to use the correlation ID to update the same incident. But we do not want a closed incident to be opened again. @apujari

0 Karma

ramganeshn
Explorer

Nope. I am not able to resolve this. I am using the same correlation ID. Still, a new incident is getting created every time. Any help on this is much appreciated.

0 Karma

ramganeshn
Explorer

Hi, I have a requirement to update an incident that had been created. Every time my alert gets triggered, it gets a new incident created in ServiceNow. I would like to get some clarity here as to whether I can close an incident once it is created, or update some comments, the status, or the description/short description. Please help me with the steps or process to be followed in updating an incident.

I am trying to update an incident that was created by an alert action from Splunk ITSI. But, every time the alert gets triggered, a new incident is getting created instead of updating the existing incident. I tried everything mentioned in the link given below:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts#Update_behavior_...

Please guide me as to what needs to be done to update a previously created incident. Should I get the status of the incident from ServiceNow and use that in the search query when I try to update the incident?

Thanks!

0 Karma

kpanchal_splunk
Splunk Employee

@apujari 

ServiceNow add-on searches the incident based on its Correlation ID. Hence, the issue you are facing (re-opening the same incident) might be caused because you used a static correlation ID which refers to the same incident every time.

In order to create a new incident every time, you should use some unique field from your event in the Correlation ID. This will allow the ServiceNow add-on to create a new incident and prevent re-opening your closed incident.

Hope this helps
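To make the behaviour described in this thread concrete, here is an added example (not code from the add-on or from any poster) that models the add-on's documented match-on-Correlation-ID behaviour with an in-memory stand-in for the incident table, and compares a static Correlation ID with one derived from event fields. The incident table, the state labels, the `episode_correlation_id` function and the constructed events are all assumptions of this example; in a real deployment the equivalent derivation would be an `eval` in the alert's search, with the result passed to the alert action's Correlation ID field.

```python
import hashlib
from datetime import datetime, timezone


class IncidentTable:
    """Constructed stand-in for the ServiceNow incident table. Mimics the
    add-on's update behaviour: look up by Correlation ID, update the
    matching incident if one exists, otherwise create a new one."""

    def __init__(self):
        self.rows = []

    def upsert(self, correlation_id, state, short_description):
        for row in self.rows:
            if row["correlation_id"] == correlation_id:
                row["state"] = state          # existing incident is updated,
                return row, "updated"         # even if it was already Closed
        row = {"number": f"INC{len(self.rows) + 1:07d}",
               "correlation_id": correlation_id,
               "state": state, "short_description": short_description}
        self.rows.append(row)
        return row, "created"


def episode_correlation_id(event):
    """Derive one ID per (host, signature, UTC day) episode. The create and
    close alerts compute the same value for the same episode, so the close
    finds its incident; a later day yields a new ID, so the closed incident
    is never reopened. Adjust the episode key to your own condition."""
    day = datetime.fromtimestamp(event["_time"], tz=timezone.utc).strftime("%Y-%m-%d")
    key = f'{event["host"]}|{event["signature"]}|{day}'
    return hashlib.sha256(key.encode()).hexdigest()[:32]


STATIC_ID = "splunk_alert"   # the static value that causes reopening


def run_scenario(id_func):
    """Replay: create on day 1, close on day 1, condition recurs on day 2."""
    table = IncidentTable()
    day1 = {"host": "web01", "signature": "disk_full", "_time": 1700000000}
    day2 = {"host": "web01", "signature": "disk_full", "_time": 1700000000 + 86400}
    log = []
    for ev, state in ((day1, "New"), (day1, "Closed"), (day2, "New")):
        row, action = table.upsert(id_func(ev), state, ev["signature"])
        log.append((row["number"], action, state))
    return log
```

With the static ID the third step reports `("INC0000001", "updated", "New")`, i.e. the closed incident is reopened; with `episode_correlation_id` it reports `("INC0000002", "created", "New")`.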
